From: Greg Kroah-Hartman Date: Tue, 28 Aug 2012 16:43:10 +0000 (-0700) Subject: 3.5-stable patches X-Git-Tag: v3.5.4~41 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=83bc8f078e06146bc6d7ed01ad90a001f094be21;p=thirdparty%2Fkernel%2Fstable-queue.git 3.5-stable patches added patches: audit-don-t-free_chunk-after-fsnotify_add_mark.patch audit-fix-refcounting-in-audit-tree.patch drm-stop-vmgfx-driver-explosion.patch revert-drm-radeon-fix-bo-creation-retry-path.patch --- diff --git a/queue-3.5/audit-don-t-free_chunk-after-fsnotify_add_mark.patch b/queue-3.5/audit-don-t-free_chunk-after-fsnotify_add_mark.patch new file mode 100644 index 00000000000..e84ebdd7a1a --- /dev/null +++ b/queue-3.5/audit-don-t-free_chunk-after-fsnotify_add_mark.patch 
@@ -0,0 +1,49 @@ +From 0fe33aae0e94b4097dd433c9399e16e17d638cd8 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Wed, 15 Aug 2012 12:55:22 +0200 +Subject: audit: don't free_chunk() after fsnotify_add_mark() + +From: Miklos Szeredi + +commit 0fe33aae0e94b4097dd433c9399e16e17d638cd8 upstream. + +Don't do free_chunk() after fsnotify_add_mark(). That one does a delayed unref +via the destroy list and this results in use-after-free. + +Signed-off-by: Miklos Szeredi +Acked-by: Eric Paris +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/audit_tree.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/kernel/audit_tree.c ++++ b/kernel/audit_tree.c +@@ -259,7 +259,7 @@ static void untag_chunk(struct node *p) + + fsnotify_duplicate_mark(&new->mark, entry); + if (fsnotify_add_mark(&new->mark, new->mark.group, new->mark.i.inode, NULL, 1)) { +- free_chunk(new); ++ fsnotify_put_mark(&new->mark); + goto Fallback; + } + +@@ -322,7 +322,7 @@ static int create_chunk(struct inode *in + + entry = &chunk->mark; + if (fsnotify_add_mark(entry, audit_tree_group, inode, NULL, 0)) { +- free_chunk(chunk); ++ fsnotify_put_mark(entry); + return -ENOSPC; + } + +@@ -396,7 +396,7 @@ static int tag_chunk(struct inode *inode + fsnotify_duplicate_mark(chunk_entry, old_entry); + if (fsnotify_add_mark(chunk_entry, chunk_entry->group, chunk_entry->i.inode, NULL, 1)) { + spin_unlock(&old_entry->lock); +- free_chunk(chunk); ++ fsnotify_put_mark(chunk_entry); + fsnotify_put_mark(old_entry); + return -ENOSPC; + } diff --git a/queue-3.5/audit-fix-refcounting-in-audit-tree.patch b/queue-3.5/audit-fix-refcounting-in-audit-tree.patch new file mode 100644 index 00000000000..e83d408fd5c --- /dev/null +++ b/queue-3.5/audit-fix-refcounting-in-audit-tree.patch 
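Review bot: None of the three replaced sites says why fsnotify_put_mark() is the right release and free_chunk() is not, so the use-after-free the commit message describes is one careless cleanup away from coming back; a one-line comment at each new `fsnotify_put_mark(...)` would pin it, e.g. `/* add_mark failure drops its own ref later via the destroy list; release only ours, never free_chunk() */`. In untag_chunk the `goto Fallback` now runs after the reference on `new`'s mark has been put; Fallback is outside the hunk, so confirm it does not touch `new` afterwards. The surrounding `return -ENOSPC` in create_chunk and tag_chunk still discards whatever error fsnotify_add_mark() actually returned (pre-existing, not changed here). The bodies of untag_chunk, create_chunk and tag_chunk all start and end outside the hunk.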
@@ -0,0 +1,87 @@ +From a2140fc0cb0325bb6384e788edd27b9a568714e2 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Wed, 15 Aug 2012 12:55:22 +0200 +Subject: audit: fix refcounting in audit-tree + +From: Miklos Szeredi + +commit a2140fc0cb0325bb6384e788edd27b9a568714e2 upstream. + +Refcounting of fsnotify_mark in audit tree is broken. E.g: + + refcount +create_chunk + alloc_chunk 1 + fsnotify_add_mark 2 + +untag_chunk + fsnotify_get_mark 3 + fsnotify_destroy_mark + audit_tree_freeing_mark 2 + fsnotify_put_mark 1 + fsnotify_put_mark 0 + via destroy_list + fsnotify_mark_destroy -1 + +This was reported by various people as triggering Oops when stopping auditd. + +We could just remove the put_mark from audit_tree_freeing_mark() but that would +break freeing via inode destruction. So this patch simply omits a put_mark +after calling destroy_mark or adds a get_mark before. + +The additional get_mark is necessary where there's no other put_mark after +fsnotify_destroy_mark() since it assumes that the caller is holding a reference +(or the inode is keeping the mark pinned, not the case here AFAICS). 
+ +Signed-off-by: Miklos Szeredi +Reported-by: Valentin Avram +Reported-by: Peter Moody +Acked-by: Eric Paris +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/audit_tree.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/kernel/audit_tree.c ++++ b/kernel/audit_tree.c +@@ -250,7 +250,6 @@ static void untag_chunk(struct node *p) + spin_unlock(&hash_lock); + spin_unlock(&entry->lock); + fsnotify_destroy_mark(entry); +- fsnotify_put_mark(entry); + goto out; + } + +@@ -293,7 +292,6 @@ static void untag_chunk(struct node *p) + spin_unlock(&hash_lock); + spin_unlock(&entry->lock); + fsnotify_destroy_mark(entry); +- fsnotify_put_mark(entry); + goto out; + + Fallback: +@@ -332,6 +330,7 @@ static int create_chunk(struct inode *in + spin_unlock(&hash_lock); + chunk->dead = 1; + spin_unlock(&entry->lock); ++ fsnotify_get_mark(entry); + fsnotify_destroy_mark(entry); + fsnotify_put_mark(entry); + return 0; +@@ -412,6 +411,7 @@ static int tag_chunk(struct inode *inode + spin_unlock(&chunk_entry->lock); + spin_unlock(&old_entry->lock); + ++ fsnotify_get_mark(chunk_entry); + fsnotify_destroy_mark(chunk_entry); + + fsnotify_put_mark(chunk_entry); +@@ -445,7 +445,6 @@ static int tag_chunk(struct inode *inode + spin_unlock(&old_entry->lock); + fsnotify_destroy_mark(old_entry); + fsnotify_put_mark(old_entry); /* pair to fsnotify_find mark_entry */ +- fsnotify_put_mark(old_entry); /* and kill it */ + return 0; + } + diff --git a/queue-3.5/drm-stop-vmgfx-driver-explosion.patch b/queue-3.5/drm-stop-vmgfx-driver-explosion.patch new file mode 100644 index 00000000000..5ed636f8d91 --- /dev/null +++ b/queue-3.5/drm-stop-vmgfx-driver-explosion.patch 
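Review bot: The reference-count invariant this fix relies on — fsnotify_destroy_mark() consuming one reference through audit_tree_freeing_mark() — is documented only in the commit message, so the bare `fsnotify_get_mark(entry);` added in create_chunk and the matching one in tag_chunk read like leaks to anyone who does not know it. A comment at each new get would make the pairing explicit, e.g. `/* destroy_mark drops a ref via audit_tree_freeing_mark(); take one so the put below stays balanced */`. The puts removed in untag_chunk likewise deserve a note at the remaining `fsnotify_destroy_mark(entry);` that the destroy already owns the final release, otherwise the asymmetry with the create_chunk path looks accidental. All four functions touched here start and end outside the hunk, and the table in the message presumes the -1 "via destroy_list" put, which cannot be confirmed from these lines.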
@@ -0,0 +1,51 @@ +From f5869a8308f77e3dfdc2e3640842b285aa788ff8 Mon Sep 17 00:00:00 2001 +From: Alan Cox +Date: Mon, 20 Aug 2012 14:44:52 +0000 +Subject: drm: stop vmgfx driver explosion + +From: Alan Cox + +commit f5869a8308f77e3dfdc2e3640842b285aa788ff8 upstream. + +If you do a page flip with no flags set then event is NULL. If event is +NULL then the vmw_gfx driver likes to go digging into NULL and extracts +NULL->base.file_priv. + +On a modern kernel with NULL mapping protection it's just another oops, +without it there are some "intriguing" possibilities. + +What it should do is an open question but that for the driver owners to +sort out. + +Signed-off-by: Alan Cox +Reviewed-by: Jakob Bornecrantz +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +@@ -1688,15 +1688,19 @@ int vmw_du_page_flip(struct drm_crtc *cr + struct vmw_private *dev_priv = vmw_priv(crtc->dev); + struct drm_framebuffer *old_fb = crtc->fb; + struct vmw_framebuffer *vfb = vmw_framebuffer_to_vfb(fb); +- struct drm_file *file_priv = event->base.file_priv; ++ struct drm_file *file_priv ; + struct vmw_fence_obj *fence = NULL; + struct drm_clip_rect clips; + int ret; + ++ if (event == NULL) ++ return -EINVAL; ++ + /* require ScreenObject support for page flipping */ + if (!dev_priv->sou_priv) + return -ENOSYS; + ++ file_priv = event->base.file_priv; + if (!vmw_kms_screen_object_flippable(dev_priv, crtc)) + return -EINVAL; + diff --git a/queue-3.5/revert-drm-radeon-fix-bo-creation-retry-path.patch b/queue-3.5/revert-drm-radeon-fix-bo-creation-retry-path.patch new file mode 100644 index 00000000000..e09aad4f055 --- /dev/null +++ b/queue-3.5/revert-drm-radeon-fix-bo-creation-retry-path.patch 
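Review bot: The new `if (event == NULL) return -EINVAL;` rejects every page flip issued without DRM_MODE_PAGE_FLIP_EVENT rather than handling it; since the old code dereferenced NULL on that path from the page-flip ioctl this is the safe choice, but the commit message calls the right behaviour "an open question", so the check should carry a comment saying the rejection is deliberate, e.g. `/* file_priv is only reachable through the event; flips without DRM_MODE_PAGE_FLIP_EVENT are not supported */`. Placed ahead of the `sou_priv` test, the NULL check also turns what would have been -ENOSYS into -EINVAL for hardware without screen objects — fine if intended, worth a word. The declaration `struct drm_file *file_priv ;` has a stray space before the semicolon. vmw_du_page_flip continues past the hunk.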
@@ -0,0 +1,41 @@ +From 676bc2e1e4f9072f7a640d5b7c99ffdf9709a6e7 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Tue, 21 Aug 2012 09:55:01 -0400 +Subject: Revert "drm/radeon: fix bo creation retry path" + +From: Alex Deucher + +commit 676bc2e1e4f9072f7a640d5b7c99ffdf9709a6e7 upstream. + +This reverts commit d1c7871ddb1f588b8eb35affd9ee1a3d5e11cd0c. + +ttm_bo_init() destroys the BO on failure. So this patch makes +the retry path work with freed memory. This ends up causing +kernel panics when this path is hit. + +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/radeon_object.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/gpu/drm/radeon/radeon_object.c ++++ b/drivers/gpu/drm/radeon/radeon_object.c +@@ -138,6 +138,7 @@ int radeon_bo_create(struct radeon_devic + acc_size = ttm_bo_dma_acc_size(&rdev->mman.bdev, size, + sizeof(struct radeon_bo)); + ++retry: + bo = kzalloc(sizeof(struct radeon_bo), GFP_KERNEL); + if (bo == NULL) + return -ENOMEM; +@@ -151,8 +152,6 @@ int radeon_bo_create(struct radeon_devic + bo->surface_reg = -1; + INIT_LIST_HEAD(&bo->list); + INIT_LIST_HEAD(&bo->va); +- +-retry: + radeon_ttm_placement_from_domain(bo, domain); + /* Kernel allocation are uninterruptible */ + mutex_lock(&rdev->vram_mutex); diff --git a/queue-3.5/series b/queue-3.5/series index 7b2c0588903..31c887fefe8 100644 --- a/queue-3.5/series +++ b/queue-3.5/series @@ -40,3 +40,7 @@ bluetooth-fix-using-a-null-inquiry-cache-entry.patch bluetooth-set-name_state-to-unknown-when-entry-name-is-empty.patch bluetooth-fix-legacy-pairing-with-some-devices.patch nfs-alias-the-nfs-module-to-nfs4.patch +audit-don-t-free_chunk-after-fsnotify_add_mark.patch +audit-fix-refcounting-in-audit-tree.patch +drm-stop-vmgfx-driver-explosion.patch +revert-drm-radeon-fix-bo-creation-retry-path.patch
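Review bot: The restored `retry:` label sits in front of the kzalloc() with nothing explaining why the allocation has to be repeated, which is exactly the knowledge the reverted commit lacked; a comment there would keep the next tidy-up from moving it back, e.g. `/* ttm_bo_init() destroys the BO on failure, so every retry must start from a fresh allocation */`. The failure branch that jumps to retry and the ttm_bo_init() call are outside the hunk, so confirm nothing reads a field of the freed `bo` on that path before the jump. The revert also undoes whatever d1c7871ddb1f was meant to fix and the message does not say what that was; a sentence on it would help stable readers judge the trade-off. radeon_bo_create starts and ends outside the hunk.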